Password changes a must after world’s largest hacked credential drop

By Darren Pauli, December 14, 2017

We are recommending that people change their online account passwords after a database of 1.4 billion cleartext (unencrypted) credentials leaked into the public internet. The database has been compiled using data obtained from over 250 high profile global security breaches of private domains (none of which are associated with our network, assets or services).

The leak, the largest in history, offers criminals a clean human-readable list of email addresses and passwords which could be used to gain unauthorised access to a large number of accounts automatically and at breakneck speed.

Its clean formatting structure, in which credentials are presented as ‘email: password’ and nested in a highly organised fashion, means it stands apart from other breach listings which are typically jumbled and difficult for criminals to make easy use of.

Email accounts listed in the database are most at risk of compromise; however, criminals can and do test those credentials against a variety of popular websites in case the individuals caught up in this breach have reused their password.

An easy way to maintain unique and complex passwords across your accounts is via the use of a password management tool, allowing you to make password management set-and-forget.

LastPass is one of a handful of offerings and is a free-of-charge application that works on web browsers, iOS, and Android, allowing you to set unique and highly complex passwords while needing to remember only one ‘master password’.

We also advise that you do not register for personal online accounts using your work email address. This is because criminals will likely attempt to use your work email address and exposed password to break into your work accounts.

An example could be that a customer has used their work email, allanc@businessname.com.au, to sign up to an online florist using the same password. If that florist was breached, criminals could deduce from the email address the customer’s place of work and then use the email address and exposed password to log into that business.
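As an added example (not code from the original post), the snippet below shows how a security team can parse the ‘email: password’ layout described above to find which addresses on its own domain are exposed, so those accounts can be forced to reset. The dump text, the domain businessname.com.au and the function names are constructed for illustration; passwords are only counted, never stored.

```python
import re
from collections import defaultdict

# Constructed sample in the 'email: password' layout the post describes.
# These are made-up addresses and passwords, not real leaked data.
SAMPLE_DUMP = """\
allanc@businessname.com.au: Summer2017!
allanc@businessname.com.au: Summer2017!
jane@example.org: hunter2
bob@businessname.com.au:CorrectHorse
malformed line without separator
ALLANC@BusinessName.com.au: Winter2016
"""

# One address, optional whitespace, a colon, then the rest of the line.
LINE_RE = re.compile(r"^\s*([^\s:@]+@[^\s:]+)\s*:\s*(.+?)\s*$")


def parse_dump(text):
    """Yield (email, password) pairs, skipping lines that are not in
    'email: password' form. Emails are lower-cased so capitalised
    variants of the same account are grouped together."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1).lower(), m.group(2)


def exposed_accounts(text, work_domain):
    """Return {email: number_of_distinct_passwords} for addresses on
    work_domain. The password values are discarded after counting;
    the count is enough to schedule a forced reset and to see whether
    the same account appears with more than one exposed password."""
    seen = defaultdict(set)
    work_domain = work_domain.lower()
    for email, password in parse_dump(text):
        if email.rsplit("@", 1)[1] == work_domain:
            seen[email].add(password)
    return {email: len(pws) for email, pws in seen.items()}


if __name__ == "__main__":
    for email, n in exposed_accounts(SAMPLE_DUMP, "businessname.com.au").items():
        print(f"{email}: {n} distinct exposed password(s) -> force reset")
```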

Darren is an information security reporter with more than a decade's experience in the beat. He came to Telstra's cyber security unit after serving as an infosec correspondent for various tech-focused publications. You'll find Darren in his spare time pursuing all things fitness and breaking things on his motorbike and around the house.